Add IAMRA permission set (#1510)

_sub/security/iam-identity-center/dependencies.tf

@@ -0,0 +1,63 @@
+data "aws_organizations_organization" "this" {}
+
+data "aws_iam_policy_document" "IAMRA" {
+ statement {
+ sid = "AllowACMAccess"
+ effect = "Allow"
+ actions = [
+ "acm:ImportCertificate"
+ ]
+ resources = formatlist("arn:aws:acm:*:%s:certificate/*", var.pca_account_ids)
+
+ condition {
+ test = "StringEquals"
+ variable = "aws:PrincipalOrgID"
+ values = [
+ data.aws_organizations_organization.this.id
+ ]
+ }
+ }
+
+ statement {
+ sid = "AllowIssueCertificate"
+ effect = "Allow"
+ actions = [
+ "acm-pca:IssueCertificate"
+ ]
+ resources = var.private_ca_arns
+ condition {
+ test = "StringEquals"
+ variable = "aws:PrincipalOrgID"
+ values = [
+ data.aws_organizations_organization.this.id
+ ]
+ }
+ condition {
+ test = "StringEquals"
+ variable = "acm-pca:TemplateArn"
+ values = [
+ "arn:aws:acm-pca:::template/EndEntityCertificate/V1"
+ ]
+ }
+ }
+
+ statement {
+ sid = "AllowPCAAccess"
+ effect = "Allow"
+ actions = [
+ "acm-pca:DescribeCertificateAuthority",
+ "acm-pca:GetCertificate",
+ "acm-pca:GetCertificateAuthorityCertificate",
+ "acm-pca:ListPermissions",
+ "acm-pca:ListTags"
+ ]
+ resources = var.private_ca_arns
+ condition {
+ test = "StringEquals"
+ variable = "aws:PrincipalOrgID"
+ values = [
+ data.aws_organizations_organization.this.id
+ ]
+ }
+ }
+}

_sub/security/iam-identity-center/main.tf

@@ -42,3 +42,17 @@ resource "aws_ssoadmin_managed_policy_attachment" "supportaccess" {
  permission_set_arn = aws_ssoadmin_permission_set.supportaccess.arn
  managed_policy_arn = "arn:aws:iam::aws:policy/AWSSupportAccess"
 }
+
+resource "aws_ssoadmin_permission_set" "IAMRA" {
+ count = length(var.private_ca_arns) > 0 && length(var.pca_account_ids) > 0 ? 1 : 0
+ name = "IAMRA"
+ description = "The permission set for handling access to PCA accounts for IAM Roles Anywhere"
+ instance_arn = tolist(data.aws_ssoadmin_instances.dfds.arns)[0]
+ session_duration = "PT1H"
+}
+
+resource "aws_ssoadmin_permission_set_inline_policy" "IAMRA" {
+ inline_policy = data.aws_iam_policy_document.IAMRA.json
+ instance_arn = aws_ssoadmin_permission_set.IAMRA.instance_arn
+ permission_set_arn = aws_ssoadmin_permission_set.IAMRA.arn
+}

_sub/security/iam-identity-center/vars.tf

@@ -0,0 +1,11 @@
+variable "pca_account_ids" {
+ type = list(string)
+ description = "The list of account IDs where PCA is deployed"
+ default = []
+}
+
+variable "private_ca_arns" {
+ type = list(string)
+ description = "The list of Private Certificate Authority ARNs"
+ default = []
+}

security/iam-identity-center-master/main.tf

@@ -1,3 +1,6 @@
 module "iam_identity_center" {
  source = "../../_sub/security/iam-identity-center"
+
+ pca_account_ids = var.pca_account_ids
+ private_ca_arns = var.private_ca_arns
 }

security/iam-identity-center-master/vars.tf

@@ -2,6 +2,18 @@ variable "aws_region" {
  type = string
 }
 
+variable "pca_account_ids" {
+ type = list(string)
+ description = "The list of account IDs where PCA is deployed"
+ default = []
+}
+
+variable "private_ca_arns" {
+ type = list(string)
+ description = "The list of Private Certificate Authority ARNs"
+ default = []
+}
+
 variable "tags" {
  type = map(string)
  description = "A map of tags to apply to all the resources deployed by the module"